Grid Authentication and Authorization with Reliably Distributed Services (GAARDS) - PowerPoint PPT Presentation
Slides: 31
Learn more at: https://www.ogf.org

Transcript and Presenter's Notes

1
Grid Authentication and Authorization with
Reliably Distributed Services (GAARDS)
Open Grid Forum 19, January 31, 2007, Chapel Hill, NC
Stephen Langella, Ohio State University, langella@bmi.osu.edu

2
Agenda
  • caBIG
  • caGrid
  • caGrid Security Overview (GAARDS)
  • Dorian
  • Authentication Service
  • Grid Trust Service (GTS)
  • Grid Grouper
  • Authz / Common Security Module (CSM)
  • Additional Information

3
National Cancer Institute 2015 Goal
Relieve suffering and death due to cancer by the
year 2015
4
Cancer Biomedical Informatics Grid (caBIGTM)
  • Need: Enable investigators and research teams
    nationwide to combine and leverage their findings
    and expertise in order to meet the NCI 2015 Goal.
  • Strategy: Create a scalable, actively managed
    organization that will connect members of the
    NCI-supported cancer enterprise by building a
    biomedical informatics network
  • National Cancer Institute Initiative
  • Over 800 Participants
  • Over 80 Organizations
  • Over 70 Projects

5
caBIG Community Organization
6
caGrid
  • Grid Infrastructure for caBIG
  • Enterprise Level Grid Components
  • caGrid Components
  • Grid Service Graphical Development Toolkit
    (Introduce)
  • Metadata
  • Advertisement and Discovery
  • Semantic Services
  • Data Service Infrastructure
  • Analytical Service Infrastructure
  • Identifiers
  • Workflow
  • Security

7
GAARDS Overview
  • Grid Authentication and Authorization with
    Reliably Distributed Services (GAARDS)
  • GAARDS provides services and tools for the
    administration and enforcement of security policy
    in an enterprise Grid.
  • Developed on top of the Globus Toolkit
  • Extends the Grid Security Infrastructure (GSI)
  • Provides enterprise services and administrative
    tools for:
  • Grid User Management
  • Identity Federation
  • Trust management
  • Group/VO management
  • Access Control Policy management and enforcement
  • Integration between existing security domains and
    the grid security domain.

8
GAARDS Components
  • Dorian
  • Grid User Account Management
  • Integration point between external security
    domains and the grid.
  • Allows accounts managed in external domains to be
    federated and managed in the grid.
  • Dorian allows users to use their existing
    credentials (external to the grid) to
    authenticate to the grid
  • Grid Trust Service (GTS)
  • Creation and Management of a federated trust
    fabric.
  • Supports applications and services in deciding
    whether or not signers of digital
    credentials/user attributes can be trusted.
  • Supports the provisioning of trusted certificate
    authorities and their corresponding CRLs.
  • Grid Grouper
  • Group management service for the grid
  • Provides a group-based authorization solution for
    the Grid
  • Enforces authorization policy based on membership
    in groups

9
GAARDS Components
  • Authentication Service
  • Integrates existing credential providers into
    the grid.
  • Provides a uniform grid interface for
    authenticating to existing credential providers.
  • Applications can communicate with any credential
    provider.
  • Authz/Common Security Module (CSM)
  • Provides a centralized approach to managing and
    enforcing access control policy.
  • Security Metadata
  • Ensures communication interoperability between
    grid services

10
GAARDS in Action
11
GAARDS in Action
The user authenticates to the local credential provider
using their everyday user credentials.
[Diagram: Authenticate with Local Credential Provider → SAML Assertion]
12
GAARDS in Action
The application obtains grid credentials from Dorian
using the SAML assertion provided by the local provider.
[Diagram: SAML Assertion → Dorian → Grid Credentials]
13
GAARDS in Action
The application uses the grid credentials to invoke
secure grid services.
[Diagram: Grid Credentials → Grid Service]
14
GAARDS in Action
Authentication: the grid service authenticates the user by asking the
GTS whether or not the signer of the credential
should be trusted.
[Diagram: Grid Service → GTS: "Should I trust the credential signer?"]
15
GAARDS in Action
Authorization: the grid service asks CSM (or its own
access control policy enforcer) whether or not the
user may perform operation X on resource Y.
[Diagram: Grid Service → CSM: "Is authorized?"]
16
GAARDS in Action
Authorization (alternative): the grid service can
enforce local policy based on the user's membership in
groups maintained in Grid Grouper.
[Diagram: Grid Service → Grid Grouper: "Is member of?"]
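The two authorization paths of slides 15 and 16, as an added example that is not caGrid or GAARDS code: a small stand-in for Grid Grouper answering "is member of?", and a rule-based local policy of the kind a service would consult instead of CSM. The DNs, group names, operation and resource names are constructed for the example. Nested groups, the deny-by-default rule evaluation, and the rule used to recover a user's grid identity from a proxy subject (dropping every CN component after the first) are assumptions of this example, not something the slides state.

```go
package main

import (
	"fmt"
	"strings"
)

// Grouper is a stand-in for Grid Grouper: named groups whose members are grid identities (the slide-23 DN)
// or other groups. Nested groups are an assumption; the slides only say policy is based on membership.
type Grouper struct{ members, subgroups map[string][]string }

func NewGrouper() *Grouper { return &Grouper{map[string][]string{}, map[string][]string{}} }

func (g *Grouper) AddMember(group, identity string) { g.members[group] = append(g.members[group], identity) }

func (g *Grouper) AddSubgroup(group, sub string) { g.subgroups[group] = append(g.subgroups[group], sub) }

// IsMember answers the slide-16 question "is member of?", following subgroups without looping on cycles.
func (g *Grouper) IsMember(group, identity string) bool {
	seen := map[string]bool{}
	var walk func(string) bool
	walk = func(grp string) bool {
		if seen[grp] {
			return false
		}
		seen[grp] = true
		for _, m := range g.members[grp] {
			if m == identity {
				return true
			}
		}
		for _, sub := range g.subgroups[grp] {
			if walk(sub) {
				return true
			}
		}
		return false
	}
	return walk(group)
}

// Rule is one entry of a service's local access control policy: which group may perform which operation
// on which resource. Operation and resource names are whatever the service defines; these are constructed.
type Rule struct{ Operation, Resource, Group string }

// GridIdentity recovers the identity that policy is written against from a proxy's subject. A GSI proxy
// (slide 21) appends extra CN components to the user's DN, so everything after the first CN is dropped.
// This assumes the slash-form DNs of slide 23 and that a user DN carries exactly one CN.
func GridIdentity(proxySubject string) string {
	i := strings.Index(proxySubject, "/CN=")
	if i < 0 {
		return proxySubject
	}
	if j := strings.Index(proxySubject[i+1:], "/"); j >= 0 {
		return proxySubject[:i+1+j]
	}
	return proxySubject
}

// Authorized is the decision of slides 15 and 16 made locally: the caller (identified by its proxy subject)
// may perform operation on resource only if some rule for that pair names a group the caller belongs to.
func Authorized(g *Grouper, policy []Rule, proxySubject, operation, resource string) (bool, string) {
	identity := GridIdentity(proxySubject)
	for _, r := range policy {
		if r.Operation == operation && r.Resource == resource && g.IsMember(r.Group, identity) {
			return true, fmt.Sprintf("%s may %s %s via group %s", identity, operation, resource, r.Group)
		}
	}
	return false, fmt.Sprintf("%s may not %s %s", identity, operation, resource)
}
```

Two details matter in practice: the decision is made on the user's grid identity, not on the proxy subject, so that a proxy (or a proxy of a proxy) is neither more nor less privileged than the user it represents; and any (operation, resource) pair without a matching rule is denied.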
17
Dorian

18
Grid Account Management is Difficult
  • Users are required to manage a long-term certificate
    and private key.
  • How are they obtained?
  • Traditionally users generate a key pair and
    certificate request locally, then contact (email)
    a CA administrator to get a signed certificate.
  • Mobility Issues
  • Users generally work on more than one computer
  • Certificate and private key need to be available
    to users on each machine.
  • Traditionally users need to copy around the
    certificate and private key.
  • Hassle for the users, some of whom don't have
    the expertise to accomplish it
  • Security concerns.
  • Difficult to administer
  • Few tools for administering the provisioning of user
    accounts.
  • Difficult to revoke accounts
  • Limited information available to administrators
    for making decisions
  • Why can't they leverage their existing accounts
    to access the grid?

19
Dorian
  • Grid User Account Management
  • Administrative interface for account provisioning
    and management.
  • Built in Certificate Authority
  • Manages Grid Credentials for each user.
  • Enables users to authenticate and create grid
    proxies, which they may use to access the grid.
  • Identity Management and Federation
  • Integration point between external security
    domains and the grid.
  • Users may use existing credentials to obtain a
    grid proxy.
  • Users authenticate to an IdP and obtain a SAML
    assertion (proof), which is then given to Dorian
    to facilitate the creation of a grid proxy.
  • Automated Account Creation and Provisioning
  • Built in Identity Provider
  • Comprehensive Administrative UI

20
Dorian
  • Proxy Creation
  • Users authenticate to IdP.
  • Obtain a SAML assertion (proof) from IdP.
  • Send SAML Assertion to Dorian in exchange for a
    grid proxy.
  • Proxy Creation (Detailed)
  • User Authenticates to Local IdP
  • Local IdP Issues Signed SAML Assertion to user.
  • User Authenticates to Dorian with SAML Assertion
  • Dorian verifies the signature of the SAML
    Assertion.
  • The signing IdP must be registered with Dorian as a
    trusted provider
  • Dorian locates the user's grid account or creates one
    if it does not exist.
  • Dorian ensures the user has the right to create a
    proxy
  • Client and Dorian negotiate to create a proxy.

21
Dorian Proxy Creation
  • Proxy Creation Workflow
  • Client authenticates with Local IdP
  • Client creates public/private key pair to use for
    grid proxy.
  • Client requests Dorian to create a grid proxy.
  • Dorian verifies that the SAML assertion provided
    by the user is signed by a Trusted IdP and that
    the user has a valid account.
  • Dorian locates the user's grid credentials:
    private key and certificate
  • Dorian uses the public key provided to create a
    proxy certificate and signs it with the user's
    private key
  • Dorian returns the proxy certificate to the user.
  • The user may now use the proxy to authenticate to
    grid services

[Diagram: the client sends Username / Password to the local IdP, receives a signed SAML Assertion, and presents the SAML Assertion to Dorian with its proxy request]
22
Grid User Account Creation
  • A grid account is created the first time a user
    accesses Dorian with a SAML Assertion signed by a
    registered Trusted Identity Provider
  • Each grid account has a status associated with
    it.
  • Active, Pending, Suspended, Expired
  • Only users with an Active Status will be given
    access to the grid.
  • The initial status of a user account upon
    creation depends on the user policy configured
    for its IdP.
  • A user policy is applied to a user's account
    every time they request that a proxy be created.
  • User policies enable the administration of Dorian
    to be as hands-on or hands-off as the administrators wish.
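The proxy creation workflow of slide 21 together with the account status rules of slide 22 and the trusted-IdP record of slide 24, as an added, runnable sketch in Go. This is not Dorian's own code: Go's standard library stands in for Globus/GSI, Ed25519 stands in for the RSA keys GSI uses, and a signed byte string stands in for a SAML assertion with its XML-DSig signature. The DN forms (taken from slide 23), the IdP identifiers and names, the credential lifetimes, the `AutoApprove` flag as the whole of a "user policy", and the `/CN=proxy` proxy naming are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// TrustedIdP (slide 24): a registered IdP, the public key of its assertion-signing certificate, and its user
// policy; AutoApprove stands in for a hands-off policy that activates accounts on first login (false: Pending).
type TrustedIdP struct{ ID, Name, Status string; AutoApprove bool; Pub ed25519.PublicKey }

// Account (slide 23): Dorian, not the user, holds the long-term private key and certificate.
type Account struct{ Status, DN string; Key ed25519.PrivateKey; Cert *x509.Certificate }

// Dorian keys its accounts by "<IdP id>/<local user id>", the pair that identifies a user on slide 23.
type Dorian struct{ CADN string; CAKey ed25519.PrivateKey; CA *x509.Certificate; IdPs map[string]*TrustedIdP; Accounts map[string]*Account }

// Assertion stands in for the IdP's signed SAML assertion (real SAML is XML carrying an XML-DSig signature).
type Assertion struct{ IdPID, LocalUserID string; Sig []byte }
func (a Assertion) signedBytes() []byte { return []byte(a.IdPID + "\x00" + a.LocalUserID) }

// KeyPair generates an Ed25519 key pair, standing in for the RSA keys that Globus/GSI actually use.
func KeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}

// IssueAssertion is the local IdP's step: having authenticated the user (out of scope here), sign an assertion.
func IssueAssertion(idpID string, idpKey ed25519.PrivateKey, localUserID string) Assertion {
	a := Assertion{IdPID: idpID, LocalUserID: localUserID}
	a.Sig = ed25519.Sign(idpKey, a.signedBytes())
	return a
}
var oids = map[string]asn1.ObjectIdentifier{"O": {2, 5, 4, 10}, "OU": {2, 5, 4, 11}, "CN": {2, 5, 4, 3}}
// dn parses the slash-form DN the slides use ("/O=OSU/OU=BMI/.../CN=jdoe") into one RDN per component.
func dn(s string) (n pkix.Name) {
	for _, p := range strings.Split(strings.TrimPrefix(s, "/"), "/") {
		t, v, _ := strings.Cut(p, "=")
		n.ExtraNames = append(n.ExtraNames, pkix.AttributeTypeAndValue{Type: oids[t], Value: v})
	}
	return n
}

// issue signs a certificate for pub under parent; parent == nil yields a self-signed CA certificate.
func issue(subject string, pub ed25519.PublicKey, parent *x509.Certificate, parentKey ed25519.PrivateKey, ttl time.Duration) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: dn(subject), NotBefore: time.Now().Add(-time.Minute),
		NotAfter: time.Now().Add(ttl), BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage, parent = true, x509.KeyUsageCertSign, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

func NewDorian(caDN string) *Dorian {
	pub, k := KeyPair()
	return &Dorian{CADN: caDN, CAKey: k, CA: issue(caDN, pub, nil, k, 87600*time.Hour),
		IdPs: map[string]*TrustedIdP{}, Accounts: map[string]*Account{}}
}

// CreateProxy (slide 21): check the assertion against a registered, active IdP; find or create the account (status
// per the IdP's user policy); refuse unless Active; sign a proxy for the client's key with the user's long-term key.
func (d *Dorian) CreateProxy(a Assertion, proxyPub ed25519.PublicKey, ttl time.Duration) (*x509.Certificate, error) {
	idp := d.IdPs[a.IdPID]
	if idp == nil || idp.Status != "Active" {
		return nil, errors.New("dorian: assertion issuer is not an active trusted IdP")
	}
	if !ed25519.Verify(idp.Pub, a.signedBytes(), a.Sig) {
		return nil, errors.New("dorian: assertion signature invalid")
	}
	id := a.IdPID + "/" + a.LocalUserID
	acct := d.Accounts[id]
	if acct == nil { // first login via this IdP: create the account and its long-term credentials
		pub, k := KeyPair()
		acct = &Account{Status: "Pending", DN: d.CADN + "/OU=" + idp.Name + "/CN=" + a.LocalUserID, Key: k}
		acct.Cert = issue(acct.DN, pub, d.CA, d.CAKey, 8760*time.Hour)
		if idp.AutoApprove {
			acct.Status = "Active"
		}
		d.Accounts[id] = acct
	}
	if acct.Status != "Active" {
		return nil, fmt.Errorf("dorian: account %s is %s, not Active", id, acct.Status)
	}
	return issue(acct.DN+"/CN=proxy", proxyPub, acct.Cert, acct.Key, ttl), nil
}
```

Three points this makes concrete. The client only ever sends its proxy public key; the proxy's private half stays on the client and the user's long-term key never leaves Dorian, which is what removes the "copy the key around" problem of slide 18. An assertion is only accepted if its issuer is a registered IdP whose status is Active and whose key verifies it, so suspending an IdP cuts off every user behind it. And the relying-party check of slide 14 falls out of the chain: a service verifies the user certificate against the Dorian CA it trusts through the GTS (`user.CheckSignatureFrom(dorianCA)`), then checks the proxy's signature with the user certificate's public key (`user.CheckSignature(proxy.SignatureAlgorithm, proxy.RawTBSCertificate, proxy.Signature)`) and that the proxy's issuer equals the user's subject; Go's generic chain verifier cannot be used for that last step because it requires an issuer to be a CA, whereas a proxy is issued by an end-entity certificate.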

23
Grid User Accounts
  • Grid user accounts are managed through the grid service
    interface using the Admin UI
  • Grid User Account
  • IdP Local User Id
  • Uniquely Identifies a user within the context of
    an IdP
  • First Name
  • Last Name
  • Email
  • User's role with respect to Dorian
  • User Account Status
  • Grid Credentials
  • Private Key
  • Long term Certificate
  • Grid Identity
  • Dorian CA Metadata
  • Trusted IdP Id
  • Local User Id

[Diagram: example grid identity]
/O=OSU/OU=BMI/OU=caGrid/OU=Dorian/OU=localhost/OU=IdP 1/CN=jdoe
Dorian CA Metadata: /O=OSU/OU=BMI/OU=caGrid/OU=Dorian/OU=localhost
IdP Id: OU=IdP 1
Local User Id: CN=jdoe
24
Managing Trusted Identity Providers
  • Trusted Identity Provider - An Identity Provider
    that Dorian is configured to trust and for which it
    manages grid user accounts.
  • Id - Dorian-assigned identifier for the IdP.
  • Name - Human-readable name for easy
    identification
  • Status - Active / Suspended
  • User Policy - Executed when users authenticate;
    dictates the policy to apply to a user's account
  • Authentication Method
  • IdP Certificate - Certificate whose corresponding
    private key is used to sign SAML
    assertions.

25
Dorian Identity Provider
  • Dorian Identity Provider (Dorian IdP) - Enables
    developers, smaller groups, research labs,
    unaffiliated users, and other groups without an
    IdP to use Dorian as their IdP, so that they
    may leverage Dorian for creating grid
    credentials.
  • Registration - Provides a registration mechanism
    through the grid service interface.
  • Authentication - Username/password authentication
    over the grid service interface; successful
    authentication returns a SAML assertion which can
    later be consumed by Dorian in exchange for a grid
    proxy.
  • Account Management - Provides administrative
    operations for managing Dorian IdP accounts.

26
Dorian IdP Registration / Authentication
  • Potential users obtain an account on the Dorian
    IdP by registering.
  • The grid service interface provides a mechanism for
    registering for a Dorian IdP account.
  • Dorian GUI provides graphical interface for
    registering with the Dorian IdP
  • Account creation depends on how the Dorian IdP is
    configured
  • Auto Creation
  • Manual Creation
  • Once Approved, registered users can authenticate
    (username, password) to the Dorian IdP to obtain
    a SAML Assertion which can then be used to create
    a proxy.

27
Dorian IdP User Management
  • Dorian IdP User Management
  • Manage User Account Information
  • Manage Account Status
  • Grant IdP Admin Rights
  • Account Management done through grid service
    interface, only users with admin rights may
    manage accounts.
  • Full Account Management Support through the
    Dorian GUI.

28
Authentication Service

29
Authentication Service
  • The role of the AuthenticationService is to
    provide a uniform grid interface for
    authenticating to existing credential providers.
  • Leveraged as an integration point between local
    identity management and grid identity federation.
  • To achieve this goal, we define a framework as a
    set of interfaces that can be implemented by a
    credential provider
  • caGrid provides a default implementation that
    exposes the Common Security Module (CSM) as an
    IdP.

Supported Credential Providers
  • LDAP
  • RDBMS

[Diagram: Local Identity Management → Authentication Service → Dorian]
30
Authentication Service - Design
[Diagram: the Authentication Service (created using the Introduce toolkit) is built on the Authentication Provider Framework; credential providers are integrated by implementing its interfaces: AuthenticationProvider, SubjectProvider, SAMLProvider]